Effect of code signing on plugin binaries + question on entitlements

So, apparently I now also had to start code signing my plugins themselves (I was already using productsign for my installer) in order for the installer to get through the notarization process, and I have 3 questions (or confirmation requests, if you will):

Does code signing actually modify the binary artefacts of your plugins?

As far as I understand it, code signing just calculates some things on your .app, .component or .vst bundle, and then stores the result of that into a _CodeSignature/CodeResources file in your bundle, without actually modifying your file /Contents/MacOS/MyPlugin itself, right?
I ask because we use some kind of own “checksum writer” to replace an array of characters in the built binary artefacts with some calculation of our own based on the binary’s contents, and that written “checksum” then gets checked at runtime to see if the binary file was tempered with or not.
If code signing modifies the binary itself, then our own calculation is wrong, unless we do the modification after Apple’s code signing, but then that calculation is wrong…

If my plugin uses the network for update checks (user preference), do I need special entitlements for the hardened run-time option when code signing?

For a standalone app, I added the hardened run-time entitlement to use audio (microphone), but I don’t think I need to add any entitlements for plugins, or do I? The only thing I thought of was perhaps for accessing the network (for update checks), but I couldn’t find a specific setting for that for the hardened run-time entitlements, so I assume there is nothing to do for that?

I’m currently not doing anything special regarding (Apple) code signing for my AAX plugins, apart from using PACE wraptool of course. Is that sufficient?

The installer containing the VST, AU and AAX plugins gets through the notarization process, even though I’m only code signing the VST and AU bundles, and the AAX plugin seems to work fine in Pro Tools, so I assume I don’t need to Apple code sign the aAX bundle. Is this correct?